Thursday, May 29, 2014

One well-known definition of insanity is to repeat the same action and expect a different result. The Administration's repeated attempts to force China to slow or stop its cyber espionage activities have all failed. And yet for some reason the President and his advisers thought that they just needed to find a different hammer - like a criminal indictment that only served to make matters worse for U.S. companies who need to do business there.

If only there were some examples of how collaboration with China could be successful. Oh wait - there are!

July 23, 2007 FBI Los Angeles CA.

International Investigation Conducted Jointly By FBI And Law Enforcement Authorities In People’s Republic Of China Results In Multiple Arrests In China And Seizures Of Counterfeit Microsoft And Symantec Software

"A joint investigation conducted by the FBI and authorities with the People’s Republic of China’s (PRC) Ministry of Public Security (MPS) has resulted in multiple arrests and the seizure of more than a half billion dollars worth of counterfeit software, announced J. Stephen Tidwell, Assistant Director in Charge of the FBI in Los Angeles, and Steven Hendershot, the FBI’s Legal Attache in Beijing, China."

"The operation, codenamed “Summer Solstice,” began in 2005 and since then, law enforcement in both countries have worked closely by sharing information to jointly investigate multinational conspiracies by groups who manufacture and distribute counterfeit software products around the world. This unprecedented cooperative effort led to the arrest of twenty five individuals, the search of multiple businesses and residential locations, asset seizures by the Chinese government worth over $7 million, and the seizure of over 290,000 counterfeit software CDs and COAs (certificates of authenticity) in China. The counterfeit software has an estimated retail value of $500 million. In addition, Agents with the FBI’s Los Angeles Field Office executed 24 searches and asset seizure warrants, yielding approximately $2 million in counterfeit software products, in addition to assets seized by the U.S. government worth over $700,000. Operation Summer Solstice encompasses multiple investigations currently being conducted by the FBI in Los Angeles and the MPS, Economic Crime Investigation Department (ECID), in which criminal organizations responsible for manufacturing and distributing counterfeit software have been identified in both Shanghai and Shenzhen; as were distributors located in the United States."

January 27, 2014

FBI Teams With China to Nab Alleged Hackers

By Dune Lawrence

"The U.S. last week brought charges against two Arkansas men for operating an e-mail hacking website, needapassword.com, which offered to obtain passwords to any e-mail account for a fee. The scheme, operated by Mark Anthony Townsend of Cedarville, Ark., and Joshua Alan Tabor of Prairie Grove, affected some 6,000 accounts, according to a Jan. 24 press release from the Federal Bureau of Investigations. Cedarville and Prairie Grove have a combined population of less than 6,000 people. Yet the investigation into the website stretched around the globe."

"Three customers, scattered across California, Michigan, and the Bronx, have been charged with hiring the hackers. One of them, John Ross Jesensky of Northridge, Calif., allegedly paid $21,675 to a Chinese website to get e-mail account passwords, according to the release. The FBI coordinated its investigation with law enforcement agencies in Romania, India, and China, resulting in arrests in all three countries. China’s Ministry of Public Security arrested Ying Liu, also known as Brent Liu, for operating the website hacktohire.net—an arrest noted in the FBI press release and also in a separate announcement on the ministry’s website, dated Jan. 27."

Doesn't it make more sense to model national policy in cyberspace after successes, like the above, instead of after failures like "naming and shaming", or issuing a criminal indictment that's too weak to ever see the inside of a courtroom?

And let's not try to formulate a policy around an impossibility. Anyone who thinks that China can be persuaded to stop conducting cyber espionage is naive at best. The only time that will happen is when China has achieved a sufficient level of technological advancement where it can rely upon its own domestic R&D to deliver its long-term goals. The downside is that when that day comes, foreign companies (especially U.S. companies) who have been granted access to the Chinese market in exchange for bringing their R&D labs to China will find that things have changed for the worse for them.

Our current ineffective and counter-productive "Asia pivot" stems from flawed early assumptions on the part of cyber security professionals that all acts of cyber espionage were done by China and all acts of financial crime were done by Russians and Eastern Europeans; that only a nation state could create a Zero-day; that the Chinese government exercised complete control over its own hacker population - all assumptions by the way which have been proven to be false. And the fact that those bad assumptions were ever formulated and accepted as doctrine to begin with is a testament to what happens when intelligence is driven by SIGINT alone without the benefit of HUMINT to confirm the analysis or vet the sources.

The best opportunity that the U.S. government has to manage cyber espionage activities in China is to build on the successes that the FBI has had with the Ministry of Public Security and go after independent hacker groups who are attacking Chinese government websites and Chinese corporations from inside China's IP space. This type of collaboration would yield hard intelligence on the actual identities of hackers who steal for profit. Once some successes are achieved and trust is regained, it might even provide the White House with reliable cyber intelligence estimates based upon in-country sources; i.e. HUMINT.

New Update (6/9/14): Startup founders will also get to meet Henry Shiembob, VP and CSO of Cognizant Technology Solutions: a multinational technology services company with a $30B market cap. Early bird registration is only $199 until June 30, 2014.

(Published May 29, 2014) On July 22 in an exclusive Washington DC restaurant, about 30 people will meet 1:1 with the former Dir. of Capabilities Tailored Access Operations (NSA), the CSO of Huawei USA, a Director/GM from Microsoft, a VP from Credit Suisse, and other decision makers. Because the one thing that's better for a startup than getting money from a VC is getting a contract from a customer, and that's the objective of the Security Startup Speed Lunch. Here's some of the feedback we received from our first lunch 10 days ago at Soho House NY:

"Jeffrey Carr’s ability to hand pick the right sponsors and funders and match them with the right startups is really a bit of quiet genius. I was able to meet several companies that had significant interest in my business and already understood the mechanics of what we do. Thank you. Great fun and no blather." - Pamela Meyer, CEO, Calibrate

“The speed lunch format benefits any stage startup. We were obviously the greenest guys in the bunch but I think we probably gained the most. After our second session, we stopped “pitching” and started asking. This helped us to see what we could learn from the person across the table.” - Tom Richards, Co-Founder, Scoutswarm

On July 22, our second speed lunch will be held at P.J. Clarke's at 1600 K Street in Washington DC. Attending startups will get to have lunch and meet one-on-one with an amazing group of executives who have all come out of the intelligence community and into the private sector: Andy Purdy (CSO, Huawei USA), Lewis Shepherd (Director/GM, Microsoft), Edward V. Marshall (VP, Credit Suisse), plus Henrik van der Meuler, Barbara Hunt, Phil Rosenberg, and other internationally known executives, VCs, and decision-makers. I know many of these people personally and have found them to be exceedingly generous with their time, their advice, and their willingness to introduce you to their own international network whenever possible.

You can attend if you qualify in one of three ways:

You're the founder or principal of a cyber security startup that's no more than 5 years old and hasn't raised more than a Series A funding round.

You're employed by a Venture Capital firm or Investment bank.

You're employed at the Director level or higher at a medium-sized or larger corporation.

Tuesday, May 27, 2014

This is an open request for assistance in a project that I've taken on. The threat actor known as Comment Crew (aka Comment Panda, APT1, Soy Sauce, B... C..., ShadyRat, WebC2, GIF89a, and who knows how many other names) has been active for a long time. Since the Attorney General chose some alleged members of this crew to indict and send a message to the Chinese government, I think it would be helpful to establish its provenance and identify how many entities (government, military, and private sector) have contributed to what is known about them over the past 14 years or so.

Here are seven questions that I think will help build out this "family tree". All contributors' names will be kept completely confidential.

If you have additional questions that you think should be asked, feel free to suggest them and I'll update this post. Once there's enough information to build out a first iteration of a genealogy, I'll post it in an online Wiki for peer-review.

To your knowledge, who first discovered this group, and what were the circumstances?

When did you discover it?

What name do you use to identify it?

What distinguishing characteristics do you use to differentiate it from other APT threat actors?

Which public and private agencies/corporations do you share information about this group with?

When information is shared about this group, have you noticed a difference in quality of data?

Do you have a data quality management plan for cyber threat intelligence at your company?

My contact information is here at the bottom of the web page. Just click the "Email" link. Thanks very much for your help.

Wednesday, May 21, 2014

Newly appointed U.S. Attorney David Hickton convinced a Western Pennsylvania grand jury that "five officers in Unit 61398 of the Third Department of the Peoples Liberation Army hacked or attempted to hack into U.S. entities named in the indictment."[1] This indictment fails on multiple levels, which I'll demonstrate in this article, but the bottom line is that it isn't actionable (see Jack Goldsmith's article at Lawfare).

It will not only fail to stop China's long-term goal of accelerating its technological development through an entire spectrum of technology transfer activities including hacking, it will make future efforts to work collaboratively with China harder to do. Furthermore, it is a continuation of the already failed "China Pivot" strategy that the U.S. tried to implement against the expansion of China's ADIZ (Air Defense Identification Zone) earlier this year [2].

The great irony in this indictment is that all of the companies mentioned as victims of Chinese government hacking continue to not only do business in China but are working hard to increase sales there. One of the victims, Westinghouse, didn't even know that DOJ was pursuing an indictment [3]. How is it that CEOs understand what the President of the U.S. and his Attorney General do not; that to a certain extent, theft of intellectual property is a cost of doing business? In fact, as the CEO of a company who advises several multi-nationals (MNCs) on how to securely operate in China and other high risk states, I don't know of a single company who has abandoned that market because of hacking attacks.

This article will take a close look at each of the victim companies to see if there is any corroborating evidence that supports the charge that the PLA and by extension the Chinese government is responsible.

SolarWorld AG

SolarWorld AG is a German company with a U.S. subsidiary. It sells expensive Silicon-based solar panels and has been losing money steadily for three years. It filed the German equivalent of a Chapter 13 bankruptcy in August, 2013 [4]. It has blamed its poor sales on alleged unfair trade practices by China who sell a cheaper Silicon version as well as a thin-film version (something that SolarWorld doesn't) [5]. Since it's a cheaper product, U.S. companies who sell and install solar panels prefer to buy from China instead of SolarWorld [6]. The U.S. International Trade Commission ruled affirmatively to support the dumping charge against China while the U.S. Solar Industry lobby group sought to find a compromise [7].

The indictment alleges that the defendant Wen Xinyu stole thousands of files including ones related to the case "which would have enabled a Chinese competitor to target SolarWorld's business operations aggressively from a variety of angles." However, had the U.S. Attorney's office done a bit more research, they would have learned that SolarWorld was already in financial trouble, so unless someone wanted to learn how to fail at being a profitable company, there was nothing about SolarWorld's business operations worth targeting.

More importantly, the Chinese government has only ever been interested in "acquiring" IP related to technologies that it wants to develop, or to accelerate development that's already underway. SolarWorld's technology was Silicon-based while China and SolarWorld's U.S. competitors had shifted to a thin-film module that's cheaper and more powerful [8]. Since China already had a superior technology it would gain nothing by hacking SolarWorld.

Westinghouse

The indictment alleges that in 2010 the defendant Sun Kailiang stole technical and design specifications for pipes, pipe supports and pipe routing for four AP1000 power plants that it was building with its Chinese partner, a State-Owned Enterprise (SOE) and then later in 2010-2011 Sun stole some Westinghouse executive emails. The SOE is the State Nuclear Power Technology Corporation (SNPTC).

While nuclear technology definitely qualifies as something that China would be willing to steal, in this case it didn't need to. Westinghouse had agreed to sell China its nuclear technology and transfer that knowledge through the creation of a joint venture with a State-owned entity to build four nuclear power plants. In fact, the SNPTC was created solely for that purpose [9].

Then, on November 23, 2010, Westinghouse handed 75,000 documents over to the SNPTC "as the initial part of a technology transfer agreement relating to Sanmen and Haiyang reactors" [10].

Had Westinghouse not made this technology transfer deal with the Chinese government, this would have been a perfect case for the U.S. Attorney. He could cite the State Council's 2006-2020 National Medium and Long-Term Program for Science and Technology Development, which called for "advanced pressurized water reactor technology" and then point to this Westinghouse breach of data about pipes that are used for just that purpose!

Unfortunately for Hickton and Attorney General Holder, the "victim" (Westinghouse) had already sold the technology to the alleged "criminal", the Chinese government. You don't have to steal something that you already own.

U.S. Steel

The indictment alleges that in 2010, the defendant Sun Kailiang successfully used a spear phishing attack against employees at U.S. Steel and obtained host names and descriptions for servers because of a WTO complaint.

China has long been the world's top steel exporter. In 2013, its share was 48.5%. The U.S. was in 4th place with 7% [11]. What possible motive could the Chinese government have to hack the network of U.S. Steel? There was no technological transfer at stake, and at least according to the indictment, nothing happened to U.S. Steel apart from the spear phishing incident. Why is this even in the indictment?

Alcoa

The indictment alleges that in 2008, Alcoa formed a partnership with a Chinese State-owned company to acquire a stake in a foreign mining company and that soon after that partnership was formed, Sun Kailiang sent a spear phishing email to Alcoa employees. There are no further details provided about this attack.

An Alcoa news release [12] revealed that the Chinese SOE was the Aluminum Corporation of China (Chinalco) and that the foreign mining company was Australia's Rio Tinto. The deal was worth about US$1B to Alcoa. However, Rio Tinto backed out of the acquisition just a few months later because of anti-China sentiment in the Australian government [13].

The relationship between Alcoa and Chinalco extended back to 2001 and Chinalco's 2008 deal with Alcoa on the Rio Tinto acquisition was worth a lot of money to Alcoa. There was no tech transfer at stake and the Chinese government would not benefit by launching a clumsy spear phishing attack against its new joint venture partner.

ATI's FRP sector has two Chinese joint ventures: a 60% share in Shanghai STAL Precision Stainless Steel Company Limited (STAL), and a 50% share in a titanium joint venture called Uniti LLC [15]. Overall, ATI isn't doing well financially and its sales to China account for only 5% of its income. Like U.S. Steel, and Alcoa, ATI has no technology transfer value to China. Even worse, nothing adverse happened to the company.

Conclusion

The Chinese government uses many tactics to acquire advanced technology, especially if the foreign company whose technology it wants is doing business in China. It monitors and collects all communications inside its borders. It can demand to see source code. A percentage of every China-based foreign company's employees must be Chinese nationals and all of them effectively work for the Chinese government while they are working for you. If you're a visiting executive from a company which is considered high value to China's national interests, you may be provided with a beautiful translator/tour guide for the duration of your stay who will undoubtedly find you and your work equally fascinating. At the very least, your hotel room will be wired, your laptop compromised, and the hotel staff bribed to report on your activities. And yes, your corporate network will be attacked by government-employed hackers and your files copied - BUT - only if your company's technology is of interest to the Chinese government. Of the five companies mentioned in this indictment, not a single one had technology valuable to China except for Westinghouse which sold China the technology it wanted, and then taught Chinese engineers how to use it.

I haven't seen any proof that these five men were employed by the PLA at the time of these attacks. At least one researcher has convincingly argued that "Defendant Wang" was never a member of the PLA at all; just an admirer. Considering the low skill level of these five defendants [16], it's much more likely that these hackers were acting on their own, looking for anything that they might be able to sell.

And while I can't point to any hard evidence, I have a strong suspicion that this indictment was born out of political pressure or ambition. I personally know some outstanding FBI cyber crime professionals and I can't believe that any of them would sign off on this had they been consulted. The problem of IP theft by nation states against U.S. companies is ongoing and unrelenting. If this is the best that the Dept of Justice can do, things will get much, much worse for U.S. companies.

Thursday, May 8, 2014

The first SecurityWeek-branded Suits and Spooks event will happen in New York City on June 20-21. We have a packed agenda of cutting-edge topics presented by speakers who have direct experience in combating security challenges on a daily basis. Here are just a few highlights:

Two Combat Veterans (Nate Fick and Dale Wooden) will speak separately about bringing security lessons from the battlefield to the boardroom.

Kaspersky Labs North America will discuss its investment in building a novel public-private partnership model with the U.S. government.

Some of the world's most experienced and successful financial forensics and intelligence experts will discuss challenges to the integrity of the international monetary system.

Three well-known venture capitalists will discuss the current trends in funding cyber security companies, where it's heading and whether it will help or hurt our security posture.

There are over 900 security conferences that take place each year, but Suits and Spooks isn't one of them. It is a unique forum where innovative discussions take place in a private and confidential setting. New York will be our last U.S.-based event for 2014 to be followed by London in September and Singapore in December.

Suits and Spooks New York will be a single track event with 12 sessions and 22 speakers, plus lunch and two continental breakfasts. The early bird registration is only $399. Enroll today and join the discussion.

I came up with this idea because Taia Global, the company that I founded in 2011, is a cyber security startup and last week we signed two Fortune Global 500 customers to our new product offering REDACT. I never would have met those customers without the benefit of Suits and Spooks. So this is my way of paying it forward.

If your security startup is less than five years old and hasn't raised more than a series A round, then you have an opportunity to meet face to face for six minutes to pitch your product to the following high level decision makers; any one of whom could - with a "yes" - accelerate the trajectory of your company.

In addition to the above, you'll also meet 1:1 with other decision makers from corporations, academia, State government, and venture capital firms. This is a very limited-seating event that will run from 12p-3p at Soho House NYC on May 19th. Lunch is included and there will be a cash bar.

If you're a VC, or a Director or above at a mid-sized or larger corporation or State agency and you want to stay current on the latest new security solutions that are about to hit the market, then this lunch is for you as well.

If you'd like to sponsor this event, shoot me an email and I'll introduce you to Mike Lennon at Wired Business Media.